Final CCPA Regulations Approved, Effective Immediately

Privacy & Cybersecurity Update

Date: August 21, 2020

Key Notes:

  • The California Office of Administrative Law approved the final version of the California Consumer Privacy Act’s implementing regulations.
  • The final regulations are materially the same as the June 1, 2020 draft.
  • The regulations are effective immediately.

While the California Consumer Privacy Act (CCPA) has been in effect since January 1 and the enforcement of the Act began on July 1, the implementing regulations were not in place on either date. After a lengthy administrative process, those regulations are finally in place. The final step was taken when the state’s Office of Administrative Law (OAL) approved those regulations, effective as of August 14, 2020. The approval of these final regulations establishes specific content and administrative compliance obligations for businesses subject to the CCPA. All businesses subject to the CCPA must now comply with both the statute and the final regulations.

While the final implementing regulations are similar to the draft proposed to the OAL on June 1, 2020, the OAL made additional revisions to the proposed regulations during its review process, and also published an “Addendum” to its Final Statement of Reasons, which sets forth its rationale and justifications for these revisions. Although the revisions were mostly non-substantive changes for accuracy, consistency, and clarity (e.g., ensuring “consumer” is used throughout the regulations), OAL did amend or withdraw several provisions, including the following: (i) consumer consent for materially different data processing, (ii) changing the “do not sell” notice language, (iii) offline opt-out minimum requirements and notices, (iv) methods for accepting opt-out requests, and (v) verification of an authorized agent.

Removal of Consumer Consent Requirement for Materially Different Data Processing

With the removal of Section 999.305(a)(5) from the CCPA regulations, businesses are no longer required to obtain consumers’ explicit consent before using their personal information for a “materially different” purpose than previously disclosed. Although this may provide some flexibility, businesses need to be mindful of other CCPA provisions and general consumer protection laws, which broadly prohibit deceptive acts and practices, such as the Federal Trade Commission Act. In other words, using personal information for purposes other than what was disclosed to consumers at the time of collection still carries with it very substantial liability risks, even under the CCPA itself.

The Shorter “Do Not Sell My Info” Notice/Link Option Deleted

Section 999.306(b)(1) previously allowed businesses to provide the notice of the right to “opt-out” by providing a link stating either “Do Not Sell My Personal Information” or “Do Not Sell My Info.” The final regulations removed the “Do Not Sell My Info” option to mirror the language of the CCPA statute.

The Offline “Do Not Sell” Opt-Out Notice Requirement Removed

The removal of Section 999.306(b)(2) alleviates the obligations, which only applied to businesses that substantially interact with consumers in an offline environment, that they provide consumers with notice of their right to opt-out through an “offline method,” such as a printed notice. Accordingly, the CCPA regulations only require such notice to be posted on a business’s website or (in the event the business does not operate a website) through “another method” that properly informs consumers of their right to opt-out, such as by directing consumers to their online opt-out form. Businesses are still required, however, to provide a “notice at collection,” including when businesses collect personal information offline (e.g., printed forms, telephonic collection).

Request to Opt-Out of the Sale of Personal Information

Section 999.315(c) has been withdrawn from the CCPA regulations in full. As previously written, it would have mandated that the opt-out process be “easy,” with minimal steps required to facilitate such a demand, and it prohibited a business from using methods that subverted or impaired a consumer’s ability to make a decision to opt-out. The vagueness of that requirement caused considerable compliance uncertainty. Businesses still are required, however, to offer “a global option to opt-out of the sale of all personal information” under section 999.315(a) and to provide two methods for submitting such a request.

Accepting Requests from Authorized Agents

Section 999.326(c) has been removed from the CCPA regulations. This provision would have allowed businesses to deny requests submitted by authorized agents on behalf of consumers if the authorized agents did not submit “proof” of authorization by the consumer. This change, however, does not appear to substantively alter businesses’ ability to refuse requests from authorized agents as that process is also detailed in the sections of the regulations that cover each type of request. For instance, section 999.315(f) permits businesses to deny a request to opt-out that is submitted from an authorized agent if the agent does not provide the consumer’s “signed permission” to act on his or her behalf.

Conclusion

While July 1, 2020 marked the CCPA’s enforcement date, the final regulations solidify businesses’ compliance requirements. Accordingly, businesses who have not yet implemented the unique disclosure and business process requirements set forth under the CCPA’s final regulations should take immediate steps to bring their programs into compliance. The International Association of Privacy Professionals published a series of articles by Thompson Hine that addresses the more complicated aspects of the CCPA, and these articles can be accessed here. In fact, some of the recent changes to the CCPA regulations directly align with the thoughts and concerns raised by Thompson Hine in these articles.

As we have previously noted, the California Privacy Rights Act (CPRA) initiative remains on track to appear on the November 2020 ballot and may add more California privacy requirements and impact the CCPA.

FOR MORE INFORMATION

If you have any questions on how the finalized regulations may affect your business, please contact one of the Thompson Hine attorneys listed below.

Thomas F. Zych
216.566.5605
Tom.Zych@ThompsonHine.com

Steven G. Stransky
216.566.5646
202.263.4126
Steve.Stransky@ThompsonHine.com

Darcy M. Brosky
216.566.5774
Darcy.Brosky@ThompsonHine.com

Craig A. Foster
614.469.3280
Craig.Foster@ThompsonHine.com

Mona Adabi
202.263.4147
Mona.Adabi@ThompsonHine.com

This advisory bulletin may be reproduced, in whole or in part, with the prior permission of Thompson Hine LLP and acknowledgment of its source and copyright. This publication is intended to inform clients about legal matters of current interest. It is not intended as legal advice. Readers should not act upon the information contained in it without professional counsel.

This document may be considered attorney advertising in some jurisdictions.

© 2020 THOMPSON HINE LLP. ALL RIGHTS RESERVED.